12

I used TrueCrypt for a long time in Kubuntu, in which I used a keyboard shortcut to automatically mount a drive. Nowadays I use VeraCrypt, but I am always prompted for my sudo password after entering the password for the encrypted drive. This was never necessary in TrueCrypt.

It occurred to me that I could potentially mount the drive as removable media (this is an operation that does not require a root password), but when mounting the drive to /mount/ (which is where removable media is mounted), I still get the sudo password request.

Furthermore, an option in VeraCrypt allows Volume Mounted as Removable Medium, but this option simply doesn't exist in the version I'm running in Linux (v1.19).

What is going on here? How can I request that the VeraCrypt mounting process behave like removable media? Entering my password every mount and dismount is irritating.

jmbeck
  • Non-system volumes can be mounted during the session without password by selecting Settings > 'System Encryption' and enabling 'Cache pre-boot authentication password in driver memory'. Does this help? – harrymc Nov 19 '16 at 18:53
  • In VeraCrypt? I don't have that option. I _do_ feel like features are missing in my copy of VeraCrypt that are described in their help documentation, but I suspect they are disabled in the Linux version. – jmbeck Nov 19 '16 at 20:29
  • 1
    There is nothing wrong with using TrueCrypt, you know, except that it's no longer supported. – harrymc Nov 19 '16 at 21:10
  • @harrymc Has support for this been dropped, or was it always only available in Windows? The Changelog doesn't state anything. – mat Apr 13 '17 at 14:32
  • @mat: TrueCrypt support and development have been stopped - the developers just walked away. Although its last version still works as well as it always did, it's recommended to use VeraCrypt instead. – harrymc Apr 13 '17 at 15:01

2 Answers

6

One option would be to set the SUID bit on veracrypt. This would make sure it took on root privileges whenever run.

# chmod u+s /usr/bin/veracrypt

Generally, however, I try to avoid the SUID or SGID bits, as they allow any user with permission to execute the binary to use it at elevated privileges.

A better option:

Another option you have if you've got sudo is to create a group with password-free sudo privileges for veracrypt.

This is definitely still a little less secure than always requiring a password, as is always the case when creating sudo rules like this. Make sure you read this carefully and understand what it entails to ensure you do not create a security risk!


Before you begin, you want to ensure that the /usr/bin/veracrypt binary is not writable by group or other.

Confirm that it is not writable by anyone other than the owner:

$ ls -lha /usr/bin/veracrypt
-rwxr-xr-x 1 root root 7.1M Sep 11  2019 /usr/bin/veracrypt

First, create a new group:

# groupadd veracrypt_group

Next, add your user(s) to the group:

# usermod -aG veracrypt_group your_user

Now use visudo to create a new sudo rule:

# visudo -f /etc/sudoers.d/veracrypt

This one will allow the veracrypt_group to run /usr/bin/veracrypt without a password.

%veracrypt_group ALL=(root) NOPASSWD:/usr/bin/veracrypt

Jeff Alyanak
  • 1
    Thanks! To completely get rid of a password prompt I needed to add `mount` and `uptime` to the sudo rule: `%veracrypt_group ALL=(root) NOPASSWD:/usr/bin/veracrypt, /usr/bin/mount, /usr/bin/uptime` – ouk Apr 03 '22 at 10:45
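
The permission check described in the answer above, extended to every parent directory of each binary named in the rule, as an added example that is not part of the original answer or comment. The function names `path_is_safe` and `check_sudo_target` are hypothetical, and the script assumes GNU `stat` and `readlink` as found on Linux.

```shell
#!/bin/sh
# Added example: audit the files a NOPASSWD sudo rule points at.
# Function names are hypothetical; requires GNU stat and readlink (Linux).

# path_is_safe PATH [OWNER_UID]
# Succeeds when PATH is owned by OWNER_UID (default 0, root) and is not
# writable by group or other.
path_is_safe() {
    p=$1
    want_uid=${2:-0}
    uid=$(stat -L -c '%u' "$p") || return 2
    mode=$(stat -L -c '%a' "$p") || return 2
    if [ "$uid" != "$want_uid" ]; then
        echo "UNSAFE $p: owner uid $uid, expected $want_uid" >&2
        return 1
    fi
    # 022 = write bits for group and other
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $p: mode $mode is group/other writable" >&2
        return 1
    fi
    return 0
}

# check_sudo_target PATH
# Resolves symlinks, then checks the file and every parent directory up to /.
# A writable parent directory allows the binary to be replaced even when the
# file itself has correct permissions.
check_sudo_target() {
    cur=$(readlink -f "$1") || return 2
    if [ ! -e "$cur" ]; then
        echo "MISSING $1" >&2
        return 2
    fi
    while :; do
        path_is_safe "$cur" 0 || return 1
        if [ "$cur" = "/" ]; then
            return 0
        fi
        cur=$(dirname "$cur")
    done
}

# Run with the paths from the rule, for example:
#   sh check.sh /usr/bin/veracrypt /usr/bin/mount /usr/bin/uptime
for target in "$@"; do
    if check_sudo_target "$target"; then echo "OK $target"; fi
done
```

Every path listed in the rule needs to pass, and the check is worth repeating after package upgrades. A rule entry with no argument restriction runs as root with whatever arguments the group member supplies.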
1

I had this problem in Linux Mint when my veracrypt container was in a directory not owned by the user opening the container, even though the user could write to that directory (and owned the container file). Moving it to a folder that the user owns stopped veracrypt from prompting for an admin password.

jtbr